A Tipping Point in Cybersecurity
Written by Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CCSFP, Member (FBI) InfraGard & HITRUST CSF Assessor Council.
In the future, when we look back, this Equifax data breach very well could be the tipping point for cybersecurity. A watershed moment.
Cybersecurity, for the next few years, will be a significant “C” level priority. Executives of healthcare organizations, as well as business associates, are beginning to realize that
Cyber Risk = Disruptive Business Risk!
This article is about what healthcare organizations (e.g. covered entities such as hospitals, insurance firms, clearing houses), as well as business associates, can all learn from the Equifax data breach.
We’ll close the article with bottom-line steps that executives must prioritize now to lower the risk of such a disruptive cyber event compromising their organization’s valued assets.
An organization that does not raise the priority of cybersecurity will experience impacts to business operations and finance that will be disruptive. Why? Let us just examine the impact of what we know about the massive Equifax data breach.
- 145.5 million records compromised
- Hundreds of thousands of records of European resident records compromised
- Hundreds of thousands of records of Canadian resident records compromised
- Hackers exploited a publicly identified vulnerability and ransacked Equifax systems
- Equifax did not discover the attack until at least four months after the event
- Timeline of events
- March 10, 2017 – systems were breached on this date
- July 29, 2017 – breach discovered
- September 7, 2017 – information about the breach was disclosed
- October 12, 2017 – Equifax shuts down part of its website, cites malicious code provided by a third party
- “C” level suite directly impacted. The CIO and CISO are no longer with the firm (retired about a week after the data breach disclosure)
- The CEO announced his resignation (September 26, 2017)
- Billions of dollars in class-action law suits
- Investigations underway by the FBI, FTC and several State Attorneys General
- Significant business disruption
It is likely that the amount of settlements reached as a result of the breach will include the letter “b”.
What Can Healthcare Organizations Learn From Equifax?
There are several lessons to be learned by senior executives, compliance professionals, IT staff and those with cybersecurity or compliance responsibilities, including CISOs, ISOs, CIOs, CTOs and security team members.
The facts are that Equifax had the patch for the mega breach, but did not install it. This patch was available two months before the hackers stole the information from Equifax. The breach was caused by a vulnerability in free, open-source software used to create Java Web applications. It is this Equifax error that led to one of the largest and most sensitive data breaches of all time, and the mistake was elementary: Failure to patch a vulnerability in Apache Struts – a Web application development framework – in a timely manner.
A single vulnerability in a Web component should not result in millions of highly sensitive records being exfiltrated. Layers of security controls should have existed and appropriately implemented. What about the encryption of such sensitive information so, even if the system may be compromised, the records are protected?
Background About the Exploited Vulnerability
The flaw in the backend software for Web applications called Apache Struts was identified by Nike Zheng, a Chinese cybersecurity researcher based in Shanghai, China. He provided the information to Apache which published it along with a patch on March 6, 2017. The flaw could be used to steal data from any company using the software. This flaw caught the attention of the global hacking community. Within 24 hours, the information was posted on a Chinese security Website, and also showed up the same day in Metasploit, a popular free hacking tool. On March 10, 2017, hackers scanning the Internet for computer systems vulnerable to the attack found the Equifax server.
The hackers then penetrated Equifax.
Over the next few weeks, the hackers accessed dozens of sensitive databases and created more than 30 separate entry points into the Equifax computer systems. By the
time the hackers were discovered on July 29, 2017, they were so deeply embedded that Equifax was forced to take the consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.
In late July 2017, Equifax discovered suspicious traffic on its system—and found the same security flaw still existed in some areas. The Equifax security staff addressed the problem, but by then it was too late.
History of Equifax Breaches
Around September 14, 2017, scores of accounts on Equifax’s Website in Argentina were, allegedly, protected by the same generic username and password: “admin.” Equifax promptly shut down the Website after news of this discovery.
In January 2017, Equifax confessed to a data leak wherein the credit information of a “small number” of customers at partner LifeLock had been exposed to another user of the latter’s online portal.
Further, Equifax reported a breach to the New Hampshire Attorney General, admitting that, between April 2013 and January 2014, an IP address operator was able to obtain credit reports using sufficient personal information to meet Equifax’s identity verification process. There were other smaller data leaks reported by Equifax to the AG, though they only appeared to affect a handful of people.
In May 2016, Equifax’s W-2 Express Website suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. A security researcher found a common vulnerability known as cross-site scripting (XSS) on the main Equifax Website. Such XSS bugs allow attackers to send specially-crafted links to Equifax customers and, if the target clicks through and is logged into the site, their username and password can be revealed to the hacker.
Who was Responsible for the Breach?
Similar intrusions in recent years at health insurer Anthem, Inc., and the U.S. Office of Personnel Management (OPM) were both ultimately attributed to hackers working for the Chinese intelligence. Some believe that it is likely that the initial breach by the first group, known as the entry crew, was handed off to a more sophisticated team of hackers.
Key Executive Fast Facts About the Equifax Breach
Key facts associated with the Equifax breach are summarized in Figure 1.
Breach Related Questions
Equifax Breach Description
|When did the breach occur?
|Breach started on about March 10, 2017
|When was the breach discovered?
|Breach was undetected until July 29, 2017
|When was the breach reported?
|Breach was reported on September 7, 2017
|What is the initial impact of the breach to Equifax?
|On September 12, multiple class-action lawsuits initiated likely in billions. Illinois, Massachusetts, and NY Attorney Generals (AGs) announced breach investigations. The FTC is investigating as well.
|Was this the first breach Equifax experienced?
|Equifax had smaller breaches in the previous years.
|How did the breach take place?
|Hackers exploited a vulnerability with a U.S. Website application Apache Struts (CVE 2017-5638). Then gained access to important consumer personal data elements.
|What specific personal data was compromised?
|Data elements compromised included SSN, DOB, addresses, birth dates – these data elements are vital for creating identities; and some driver license numbers were compromised.
|How many individuals were impacted?
|145.5 million individuals impacted. Also, 209,000 credit card numbers compromised, plus certain dispute documents with personal identifying information for approximately 182,000 consumers. Driver’s license data for around 10.9 million Americans was compromised. 15.2 million U.K. consumer records were compromised. Canadian consumers were affected by the breach as well.
Figure 1: Equifax Breach Description.
The stolen Equifax data could be monetized in several ways:
- Selling and reselling via the underground
- Updating existing, already stolen records about individual consumers that get bought and sold by cybercrime underground data brokers
- Taking over existing accounts – such as bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with bitcoin wallet holders) and retirement accounts
- Using it to build better dossiers, on potential individuals that nation-states or others might try to recruit or blackmail, for intelligence-gathering purposes
The Equifax Breach is an Industry Problem.
Experian, for example, has suffered more than 100 data breaches in recent years, and one of its subsidiaries sold data to a Vietnamese ID theft ring that committed fraud on a massive sale.
Bottom-line: Cyber Defense Strategy
Security is only as strong as the weakest link. Healthcare organizations, including business associates, must ensure that they are, on a regular basis, performing a comprehensive risk assessment to discover vulnerabilities that can be exploited.
The immediate lesson from the Equifax breach is about ensuring that organizations review their patch management and configuration management practices. Any policy and process must be influenced by standards such as PCI DSS, ISO 27001, and NIST Special Publications.
However, organizations must view this area of challenge as an opportunity to review and improve the full scope of the enterprise cybersecurity program. Think of the Japanese word, “kaizen,” that means continuous improvement.
The bottom-line recommendation for senior healthcare executives is to set the tone for cybersecurity as an enterprise priority. These seven areas are critical to address on a continual basis:
- Develop a credible and an approved cybersecurity strategy that resonates across the enterprise
- Implement a cybersecurity framework (e.g. HITRUST CSF)
- Conduct a comprehensive and thorough security risk assessment, at least annually
- Ensure a technical vulnerability assessment is performed quarterly, and a penetration testing, annually, on mission critical assets
- Perform a Business Impact Analysis (BIA)
- Develop a detailed IT Disaster Recovery Plan (DRP); test it regularly
- Create a cyber incident response plan
Cyber-attacks may not just disrupt, but potentially destroy valued data. 2018 will likely witness the cyber events of the past repeated. We must be prepared now.